How To Test Authoritative Zones (So You Think You Are Signed)

So we've generated some keys, run some commands, and uploaded some data to our parent zone. How do we know our zone is signed correctly? Here are a few ways to check.

Look for Key Data in Your Zone

One of the ways to see if your zone is signed, is to check for the presence of DNSKEY record types. In our example, we created two keys, and we expect to see both keys returned when we query for them.

$ dig @192.168.1.13 example.com. DNSKEY +multiline +noall +answer

; <<>> DiG 9.10.1 <<>> @192.168.1.13 example.com. DNSKEY +multiline +noall +answer
; (1 server found)
;; global options: +cmd
example.com.		300 IN DNSKEY 256 3 8 (
				AwEAAclob7q+ccvDwaTVuMM2ddGIynWyMwaZlhFrU6cC
				0qknWoPpkq0gIwTrYf3DJY+eIKPVHxrM+o2AoRIVhubG
				jfv1bT5wTYrawZstS84ejCQ+ehA+8DxKyeWUEzW0ZMBe
				OhyeG0cuQVK/p6Z1E096JLu0DjgbabLspequkw4M+HT7
				) ; ZSK; alg = RSASHA256; key id = 17694
example.com.		300 IN DNSKEY 257 3 8 (
				AwEAAdQ2ctHx8VmryndiOgpchXPdj3NwxMeUvAre6uYI
				5KELlFJUghTHrz+/CzEc8CXG8wwQ4ZvAey0FGV2nJAFC
				ENMxoRiCz0oSiQQxryNhACd3RnE2/D7G+ShwlOM6w53E
				wUJ/lsgu5UevSxFC+eA3fKeL3TWR44PH4iJQp9QmfW5v
				7qG8Sic/HQvBGBdOGfFtHAl0a4jDPBi57imS4YsHcUYD
				9bsWmhYWSHJKZ66+JnTiMS0nQM69YwBF43QfDKurs5R6
				qPUDiBlaMCzSxmlaBU6fsI1Mu/yIU8w1ewy26a42rUTU
				rPBC3Oa/zf9VQ8kpUrMZgJ7LEAA4xmR+qwWDh6U=
				) ; KSK; alg = RSASHA256; key id = 06817

Look for Signatures in Your Zone

Another way to see if your zone data is signed is to check for the presence of signature. With DNSSEC, every record[3]now comes with at least one corresponding signature known as RRSIG.

$ dig @192.168.1.13 example.com. SOA +dnssec +multiline

; <<>> DiG 9.10.1 <<>> @192.168.1.13 example.com. SOA +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31466
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com.		IN SOA

;; ANSWER SECTION:
example.com.		300 IN SOA ns1.example.com. dnsadmin.example.com. (
				2014102111 ; serial
				10800      ; refresh (3 hours)
				1080       ; retry (18 minutes)
				2419200    ; expire (4 weeks)
				900        ; minimum (15 minutes)
				)
example.com.		300 IN RRSIG SOA 8 2 300 (
				20141121122105 20141022112105 17694 example.com.
				NqPGNLkUs40Lg/qq7Fv+bgyCwVB4s9PsHQOK6p9ZWWk3
				36z2Qz2WjM+Q19SlVBAPux9jijvcRcjGb6KREuxER9uX
				wdVeiGx9a4X+PaO3qTqdkiXuGS2XkK1kBm1CgwhVHTYV
				/nxVPrckU4/mpeUoFVjMnT49JkVJmgck63esPEU= )

The serial number was automatically incremented from the old, unsigned version. Named keeps track of the serial number of the signed version of the zone independently of the unsigned version. If the unsigned zone is updated with a new serial number that's higher than the one in the signed copy, then the signed copy will be increased to match it, but otherwise the two are kept separate.

Examine the Zone File

Our original zone file example.com.db remains untouched, named has generated 3 additional files automatically for us (shown below). The signed DNS data is stored in example.com.db.signed and in the associated journal file.

# cd /etc/bind/db
# ls
example.com.db	example.com.db.jbk  example.com.db.signed  example.com.db.signed.jnl

A quick description of each of the files:

  • .jbk: transient file used by named
  • .signed: signed version of the zone in raw format
  • .signed.jnl: journal file for the signed version of the zone

These files are stored in raw (binary) format for faster loading. You could reveal the human-readable version by using named-compilezone as shown below. In the example below, we are running the command on the raw format zone example.com.db.signed to produce a text version of the zone example.com.text:

# named-compilezone -f raw -F text -o example.com.text example.com example.com.db.signed
zone example.com/IN: loaded serial 2014112008 (DNSSEC signed)
dump zone to example.com.text...done
OK

Check the Parent

Although this is not strictly related to whether or not the zone is signed, a critical part of DNSSEC is the trust relationship between the parent and child. Just because we, the child, have all the correctly signed records in our zone doesn't mean it can be fully validated by a validating resolver, unless our parent's data agrees with us. To check if our upload to the parent is successful, ask the parent name server for the DS record of our zone, and we should get back the DS record(s) containing the information we uploaded in the section called “Upload to Parent Zone”:

$ dig example.com. DS

; <<>> DiG 9.10.1 <<>> example.com. DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49949
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.			IN	DS

;; ANSWER SECTION:
example.com.  61179	IN	DS	06817 8 1 66D47CE4B4F551BE5EDA43AC5F3109E8C98E2FAE
example.com.  61179	IN	DS	06817 8 2 71D9335416B7132519190A95685E18CBF478DCF4CA98867062777938F8FEAB89

External Testing Tools

The easiest ways to see if your domain name is fully secured is to use one of these excellent online tools.

  1. Verisign Labs DNSSEC Debugger: http://dnssec-debugger.verisignlabs.com/
  2. DNSViz: http://dnsviz.net/

Verisign DNSSEC Debugger

URL: http://dnssec-debugger.verisignlabs.com/

This tool shows a nice summary of checks performed on your domain name, and you can expand to view more details for each of the items checked to get a detailed report.

Figure 4.1. Verisign DNSSEC Debugger

Verisign DNSSEC Debugger

DNSViz

URL: http://dnsviz.net/

DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace.

Figure 4.2. DNSViz

DNSViz



[3] Well, almost every record. NS records and glue records for delegations do not have RRSIG records like everyone else. If you do not have any delegations, then yes, every record in your zone will be signed and comes with its own RRSIG.